Security Bulletin: IBM TS3500 Tape Library Update for Security Vulnerability in Web User Interface (CVE-2012-5767)

DESCRIPTION:

An authorized user of the TS3500 web user interface could exploit a vulnerability that would give that user a higher level of access than originally granted. However, the TS3500 web user interface continues to prevent any user from accessing data that is read from, written to, or stored on tape media.

The IBM TS3500 tape library firmware has been updated to contain a fix for this vulnerability.


CVEID: CVE-2012-5767
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80272 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)


AFFECTED PRODUCTS AND VERSIONS:
All TS3500 tape libraries with firmware versions lower than C260.


REMEDIATION:
The recommended solution is to apply the fix, which is contained in firmware version C260 and above.


Fix:
Apply firmware version C260 or later, available from IBM Fix Central http://www-933.ibm.com/support/fixcentral/


Workaround(s):
None


Mitigation(s):
Only provide remote login access to persons that can be trusted not to attempt to hack into a higher level of access permissions, or only provide remote login access to persons with administrator privileges (where there is no higher level access to hack into).


REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2012-5767
· X-Force Vulnerability Database http://xforce.iss.net/


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Narodowe Archiwum Cyfrowe (National Digital Archives).